Nerdy Security Discussion

grahams - 1 min read

Ok, I’ve been having a debate in my head for about a week now, and so I figured I’d open it up for discussion:

Right now, I have three classifications of passwords:

  • “Secure” - A memorable, yet obscure base (would look random to most people) with host-specific unique data inserted within (via a mental hash function)
  • “Screen-door lock” - a simple mixed case alphanumeric password I reuse across multiple hosts. This is for hosts (typically, random Web sites) where it would be mildly irritating if someone had access to my account…
  • “Who cares” - This is for the hosts that I don’t care about, yet which require me to input a password. It is a completely insecure, throwaway password. It could probably be brute-forced in about 30 seconds.

I began thinking about whether or not it would be ultimately more secure to have one classification of password (really secure, pseudo-random noise) and store those passwords in a single, encrypted password store behind a single “secure” password. This store would obviously be very well backed up and treated like other personal data.

Clearly, this is a single point of failure, so if someone compromises my password store, everything is compromised. On the other hand, each individual password would be far less guessable…
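To put rough numbers on the “far less guessable” side of the trade-off, here is an added example (mine, not part of the original post) that compares the three password classes above with a store-generated random password. The lengths, character sets and the guessing rate of 10 billion guesses per second are assumptions chosen for illustration; the memorable “secure” base is scored as if it were random, so its figure is an upper bound.

```python
import math
import secrets
import string

# Character sets used for the comparison (assumed, not from the post).
ALPHANUM_MIXED = string.ascii_letters + string.digits                   # 62 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing to hit a uniformly random password.

    On average the attacker tries half the keyspace before succeeding.
    """
    return (2 ** bits) / 2 / guesses_per_second


def generate_vault_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Random password of the kind an encrypted store would hold.

    Uses the CSPRNG behind `secrets`, never `random`, which is predictable.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_classes(guesses_per_second: float = 1e10) -> dict:
    """Entropy and expected offline-cracking time for the post's three classes
    plus a store-generated password. Alphabet sizes and lengths are assumptions
    (constructed for this example). The 'secure' class is scored as if random,
    so a memorable base is really weaker than the figure shown."""
    classes = {
        "who cares (6 lowercase)": (26, 6),
        "screen-door lock (8 mixed alphanumeric)": (len(ALPHANUM_MIXED), 8),
        "secure (14 printable, as if random)": (len(PRINTABLE), 14),
        "store-generated (20 printable)": (len(PRINTABLE), 20),
    }
    result = {}
    for name, (alphabet_size, length) in classes.items():
        bits = entropy_bits(alphabet_size, length)
        result[name] = {
            "bits": round(bits, 1),
            "expected_seconds": expected_crack_seconds(bits, guesses_per_second),
        }
    return result


if __name__ == "__main__":
    for name, row in compare_classes().items():
        print(f"{name:42s} {row['bits']:6.1f} bits  "
              f"~{row['expected_seconds']:.3g} s at 1e10 guesses/s")
    print("example store password:", generate_vault_password())
```

Two things the numbers do not capture: the “screen-door lock” password's real weakness is reuse, since one site leaking it exposes every other site it was used on regardless of its entropy, and the store itself is only as strong as the single master password plus the key derivation the store applies to it.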

Opinions?